veracode static scan
Runs a Veracode Static Analysis scan and outputs any flaws found as a JSON file. This command returns exit code 3 if any flaws are found matching the specified criteria.
This command does not initiate a Static Analysis (SAST) scan (Upload and Scan) in the Veracode Platform. It runs a Static Analysis using Pipeline Scan. To integrate Static Analysis scans in the Veracode Platform using the API wrapper, see uploadandscan
.
Usage
veracode static scan <file_path> [flags]
Arguments
Argument | Description |
---|---|
file_path | Location of the package file that contains your application source code. Ensure the file meets the packaging requirements. |
General Flags
Flags available on all commands.
Flag | Description |
---|---|
-h, --help | Displays help for this command. |
-v, --verbose | Displays detailed output. |
Analytics Flags
Optional flags for querying runs with Veracode Analytics.
Flag | Description |
---|---|
--app-id | Application profile ID for the application you want to upload and scan. |
--development-stage | Specifies the development stage when the scan runs. Values are case-sensitive: Development , Testing , and Release . |
--project-name | Name of the CI/CD repository running a scan. This flag adds the repository name to the scan results, which can help track scans across repositories. |
--project-ref | Source control reference, revision, or branch of the CI/CD repository running a scan. |
--project-url | URL of the CI/CD repository running a scan. |
GitLab Flags
Optional flags for specific behavior to improve integration with GitLab.
Flag | Description |
---|---|
--gl-issue-generation | Enter true to create GitLab issues from discovered flaws. Default is false . Before you can use this flag, you must configure GitLab. |
--gl-vulnerability-generation | Enter true to create a JSON file from the scan results. GitLab imports flaws from this JSON file as vulnerabilities. Default is false . To use this flag, you must define the paths and reports settings in the GitLab CI. |
Policy and Output Flags
Optional flags to control the output or application of policy.
Flag | Description |
---|---|
--baseline-file | Location of a JSON file with results from a previous scan. Default filename is results.json . To create a baseline file, include --results-file . The new results only include flaws not listed in the baseline file. |
--fail-on-cwe | Comma-separated list of CWE IDs. The scan results only include flaws of the specified CWEs. |
--fail-on-severity | Comma-separated list of severities. The results only include flaws of the specified severities. By default, all severities are included. Values are Very High , High , Medium , Low , and Very Low . |
--policy-file | Name of a local policy file you want to apply to the scan results. To download a policy, use the policy command. |
--results-file | Filename or location to save the scan results as a JSON file. By default, the results are saved to ./results.json . |
--summary-output | Filename or location to save the scan results as a human-readable file. This file is not saved by default. |
Scanning Flags
Optional flag to control the scope of analysis.
Flag | Description |
---|---|
--include | Enter a case-sensitive, comma-separated list of name patterns that represent the names of the modules to scan as top-level modules. Veracode identifies these modules during prescan. The * wildcard matches zero or more characters. The ? wildcard matches exactly one character. For example, to include various module names that contain module : --include "module 1, module-*, module2.jar" The scan results show the names of the modules that Veracode identified and the modules included in the scan. This flag does not pause, stop, or impact the performance of your pipeline. |
Examples
To scan a Java JAR file and output flaws to results.json
, run:
veracode static scan my_java_application/build/project.jar
To scan a Python ZIP file and filter the results by severity and CWE ID, run:
veracode static scan my-python-project.zip --fail-on-cwe "89,117" --fail-on-severity "Very High, High"
To scan a Java class file but only include results not included in a baseline file, run:
veracode static scan my_java_application/build/IgnoreCommand.class --baseline-file "baseline-results.json"
To create a baseline file and use it in a subsequent scan, run:
veracode static scan example.jar --results-file "baseline.json"
veracode static scan example.jar --baseline-file "baseline.json"
To scan a Python ZIP file and apply policy Veracode Recommended High, run:
veracode static scan my-python-project.zip --policy-file "Veracode Recommended High.json"